Meta Data Is Not Stripped From images in polonel/trudesk


Reported on

May 23rd 2022

  1. Hey team, while uploading site/page logo as an administrator, The meta data of the image like geolocation, device information, version, nameetc is not getting stripped, as a result the attacker can collect all the meta data information of the image by using tools like exif tool, metadata checker etc which is publicly available.

Steps to reproduce:

  1. Upload site/page logo
  2. copy the image location and save it or check the meta data directly by this site
  3. The all information on the image(meta data) will be publicly disclosed

Patch recommendation:

  1. Remove the meta data from uploaded images


  1. This vulnerability impacts and violates the privacy of the one who uploads the image, because the meta data will be publicly accessible by third party attackers via the common predictable endpoint
We are processing your report and will contact the polonel/trudesk team within 24 hours. a year ago
Akshay Ravi
a year ago



Hey @maintainer, As an normal user can also access the image with no privileges, beacuse the site logo is common for is the POC👇:

I was added the CVSS score as low(3.3), feel free to change it to medium or higher than (3.3) if you wish as per these impacts, thanks

We have contacted a member of the polonel/trudesk team and are waiting to hear back a year ago
Chris modified the Severity from Low (3.3) to Medium (4.6) a year ago
Chris assigned a CVE to this report a year ago
The researcher has received a minor penalty to their credibility for miscalculating the severity: -1
Chris validated this vulnerability a year ago
Akshay Ravi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
a year ago


This has been fixed and will release with version 1.2.3 I will update this report once released.

We have sent a fix follow up to the polonel/trudesk team. We will try again in 7 days. a year ago
Chris marked this as fixed in 1.2.3 with commit ae904d a year ago
Chris has been awarded the fix bounty
This vulnerability will not receive a CVE
to join this conversation